
Google redirect, svchost.exe activity & Windows Explorer disable


75 replies to this topic

#1 Arney X

Posted 12 May 2011 - 01:13 AM

Hi, folks!

I have been using your advice to clean up/out infections for years, and I'll take this opportunity to thank you for your excellently detailed tutorials on virus removal. You've saved my system & my sanity many times. I have a virus removal folder on a separate flash drive - with rkill, TDSSkiller & other utilities - that has become invaluable to me over the past year or two.

I want to start out by referencing this string - "http://www.bleepingcomputer.com/forums/topic393454.html/page__hl__google+redirect" - because this user had the exact same issues as I have, and had tried the same remedies that I have, to no avail. Instead of following the advice from the tech who helped him (especially because I'm fearful of using ComboFix unsupervised, and because all system configurations are different), I wanted to post the issue again here.

My infection began as a fake security software come-on, which was similar to a few infections I've received (Paladin, XP Anti-Spyware, etc.). Unfortunately I can't tell you the name of it this time, because as soon as it showed up onscreen, I closed the window in an effort to stop it from loading. I then ran rkill, TDSSkiller and Malwarebytes and quarantined the 11 infections that Malwarebytes found. The system recovered accurately after rebooting, but was running very slowly & took a long time to load. Over the next few days I ran SuperAntiSpyware in addition to the other anti-malware programs and found several other infections. Each time I rebooted, something else would not run correctly or at normal speed, so I checked Task Manager. There were many iterations of svchost.exe, a few of which were showing a lot of activity when nothing was supposed to be running, and several AVG utilities that were running that I had not seen before. The AVG utilities were from AVG 10, but I'm running AVG 11, so I decided to uninstall AVG (I had AVG 9 & 10 in a separate folder) & reinstall a fresh copy.

Around that time (before the AVG activity) one of the reboots would not bring up my desktop shortcut icons or the Windows Explorer taskbar. I Ctrl+Alt+Del'ed to bring up the Task Manager, browsed for the Windows Explorer .exe file and ran it, and brought up the taskbar & icons again. This happened again a few times, a few of the times with no results after running the Explorer.exe and sometimes being redirected to My Documents when I ran it. During this time, any sites I tried to access via a Google search would redirect me to other ad sites. Also, sometimes when on other mainstream sites (AOL, Yahoo, etc.) another window would open on its own with another ad/scam/spam site. That got to be pretty common.

I have since disconnected the system from the internet, and have not had any internal redirect, missing Windows Explorer or svchost.exe overactivity since then. I fully expect that, when I reconnect to run & transmit the reports you need, I'll have the issues again. I'm online right now on a clean computer - although this system is Windows 7 and my system is an XP Home.

As I mentioned, after reading the "http://www.bleepingcomputer.com/forums/topic393454.html/page__hl__google+redirect" string and admiring the speed, thoroughness & professionalism of the tech (Fireman4it), I contacted him/her to ask if I could be helped the same way, since I'm experiencing the same problem. I haven't received a reply, so I thought that maybe a personal message wasn't allowed until I posted my own topic, so here it is. If it's possible to request a Malware Response Team member, I'd like to ask for Fireman4it to help me - but obviously, any one of your techs would be fine.

Thanks very much in advance for your help. You guys are the best kept secret on the web. Thanks for being lifesavers.

- Arney X


#2 Arney X (Topic Starter)

Posted 22 May 2011 - 01:46 AM

Hi again, Bleepers!

It's been over 10 days since I posted my request and I haven't heard a word from you. I realize you're all very busy, what with all the viruses & other malware out there, but I'm left to assume that I did something wrong in my original post. I'm sorry if I insulted someone by requesting a particular tech to help me, but I thought it would be quicker to ask for someone who just handled the identical problem. But, as I said, any one of the helpers would be fine.

If the problem is that I didn't post the requested logs yet, it's because my infected computer is disconnected from the internet to avoid any further infections from being compromised by the existing malware.

I don't know what else I may have done wrong for you to ignore my post, while others with similar problems received responses within a day or so, but I apologize and assure you that whatever it was, it was inadvertent. I really need your help, since I rely on my system for personal and business purposes, and have been severely compromised without it. As I said, I don't want to use ComboFix unsupervised - as recommended - but I'm getting pretty desperate.

Please let me know what else you need me to do, or not do, so that I can get a response from you to help me. Thanks again in advance.

- Arney X

#3 Blade81 (Malware Response Team)

Posted 22 May 2011 - 05:40 AM

Hi,

Follow steps 8 & 9 of Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help instructions to run DDS & GMER tools. Post back output logs of them.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#4 Arney X (Topic Starter)

Posted 24 May 2011 - 01:14 AM

Hi, Blade, and thanks for the response!

I downloaded DDS but am having a problem running it. It opens in Notepad as text, with a lot of unrecognizable characters, with the message at the top line saying "This program cannot be run in DOS mode" and some other file identifiers a few lines down from that. I tried it a few times, downloading a fresh copy each time. I downloaded it to a clean flash drive, then transferred it to my infected computer. I even tried running it from the RUN box in the start menu. Same results - just a huge window full of text (592K).

What's wrong? I'm on a WINDOWS XP Home system with no modifications that I know of. Thanks in advance for your help.

- Arney X

#5 Arney X (Topic Starter)

Posted 24 May 2011 - 02:05 AM

DDS Problem solved for now. Instead of clicking RUN I right-clicked on the icon & clicked on CONFIGURE. That started it up.

Following is the DDS report, and the attached DDS report. But when GMER was running, at some point the screen went black & stopped processing. GMER had been running for a while when this happened. I was only able to retrieve the DDS reports because I saved them to a flash drive before running GMER. I will leave the computer running until you tell me what to do next.

.
DDS (Ver_11-05-19.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Owner at 2:21:13 on 2011-05-24
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.383 [GMT -4:00]
.
AV: AVG Anti-Virus Free Edition 2011 *Enabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: System Shield *Enabled/Updated* {2565CEEE-6BDB-4A6D-AD6D-F682F2695014}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe
C:\Program Files\AVG\AVG10\avgwdsvc.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\iolo\Common\Lib\ioloServiceManager.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe
C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe
C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\progra~1\vision~1\paperp~1\pptd40nt.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\AVG\AVG10\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Authentium\AntiVirus5\vsedsps.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG10\avgnsx.exe
C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Common Files\Authentium\AntiVirus5\vseamps.exe
C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
C:\Program Files\iolo\System Mechanic Professional\System Shield\ioloSSTray.exe
C:\PROGRA~1\AVG\AVG10\avgrsx.exe
C:\Program Files\AVG\AVG10\avgcsrvx.exe
C:\Documents and Settings\Owner\Desktop\dds.scr
C:\WINDOWS\system32\WSCRIPT.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.aol.com/
uSearch Page = hxxp://srch-us7.hpwis.com/
uDefault_Page_URL = hxxp://us7.hpwis.com/
uDefault_Search_URL = hxxp://srch-us7.hpwis.com/
uSearch Bar = hxxp://srch-us7.hpwis.com/
mSearch Bar = hxxp://srch-us7.hpwis.com/
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
BHO: EWPBrowseObject Class: {68f9551e-0411-48e4-9aaf-4bc42a6a46be} - c:\program files\canon\easy-webprint\EWPBrowseLoader.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: hp toolkit: {b2847e28-5d7d-4deb-8b67-05d28bcf79f5} - c:\hp\explorebar\HPTOOLKT.DLL
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: hp toolkit: {8f4902b6-6c04-4ade-8052-aa58578a21bd} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
uRun: [MSMSGS] "c:\program files\messenger\MSMSGS.EXE" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [Sonic RecordNow! Deluxe]
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
mRun: [nwiz] nwiz.exe /installquiet /keeploaded
mRun: [PS2] c:\windows\system32\ps2.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [MaxBlastMonitor.exe] c:\program files\maxtor\maxblast\MaxBlastMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\maxtor\maxblast\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\maxtor\schedule2\schedhlp.exe"
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [PaperPort PTD] c:\progra~1\vision~1\paperp~1\pptd40nt.exe
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVWSzItQUxZTUYtU0xLTFUtQVoyVUItNkdPS0ItSkhGTkg"&"inst=NzctNDc0NTc2MDYwLVNUMSsyLUZQOSs2LVRCOSsyLUZMKzktRjEwTSs1LVFJWDErNC1YMjAxMCsyLUYxME0xMEQrMi1MSUMrNy1GTDEwKzE"&"prod=90"&"ver=10.0.1204
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
mPolicies-explorer: <NO NAME> =
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Toolband.dll/RC_Print.html
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
LSP: c:\windows\system32\iavlsp.dll
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1273723306281
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1273726958500
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-31-0.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 relog_ap
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-2-22 22992]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-1-19 32464]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-1-7 248656]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-3-1 34896]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-2-10 296400]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-9-3 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-9-3 55024]
R2 AMP;AMP;c:\windows\system32\drivers\amp.sys [2010-1-19 127016]
R2 AMPSE;AMPSE;c:\windows\system32\drivers\ampse.sys [2010-1-19 1118248]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2011-2-15 7421280]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2011-2-8 269520]
R2 ioloFileInfoList;iolo FileInfoList Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2009-7-18 724152]
R2 ioloSystemService;iolo System Service;c:\program files\iolo\common\lib\ioloServiceManager.exe [2009-7-18 724152]
R2 vseamps;vseamps;c:\program files\common files\authentium\antivirus5\vseamps.exe [2010-1-19 121384]
R2 vsedsps;vsedsps;c:\program files\common files\authentium\antivirus5\vsedsps.exe [2010-1-19 117288]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-3-30 134480]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-2-10 24144]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-2-10 27216]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-3-30 133104]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2009-3-30 133104]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-9-3 7408]
S3 vseqrts;vseqrts;c:\program files\common files\authentium\antivirus5\vseqrts.exe [2010-1-19 158248]
.
=============== File Associations ===============
.
JSEFile=NOTEPAD.EXE %1
regfile=NOTEPAD.EXE %1
scrfile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.
=============== Created Last 30 ================
.
2011-05-05 17:49:02 -------- d-----w- c:\windows\system32\NtmsData
2011-05-03 19:33:55 -------- d-----w- c:\windows\system32\drivers\AVG
2011-05-03 19:32:17 -------- d-----w- c:\program files\AVG
.
==================== Find3M ====================
.
2011-04-12 23:33:38 1409 ------w- c:\windows\system32\tmpEAD13.FOT
2011-03-30 21:17:22 134480 ------w- c:\windows\system32\drivers\AVGIDSDriver.sys
2011-03-15 19:24:20 87688 ------w- c:\windows\system32\IncContxMenu.dll
2011-03-15 19:23:32 11776 ------w- c:\windows\system32\smrgdf.exe
2011-03-15 19:23:26 29696 ------w- c:\windows\system32\iolobtdfg.exe
2011-03-15 19:21:16 2234552 ------w- c:\windows\system32\Incinerator.dll
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 20:05:54 398760 ------r- c:\windows\system32\cpnprt2.cid
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2010-05-26 18:59:44 20854256 ------w- c:\program files\RealPlayerSPGold.exe
2009-06-11 00:48:03 426352 ------w- c:\program files\smpro_dm.exe
2009-06-10 23:25:30 359656 ------w- c:\program files\msicuu2.exe
2008-12-28 07:27:58 13440584 -c----w- c:\program files\Install_AIM.exe
2008-10-29 07:11:07 25740144 ------w- c:\program files\wmp11-windowsxp-x86-enu.exe
2008-10-28 23:24:46 25685128 ------w- c:\program files\wordview_en-us.exe
2008-05-04 09:21:15 51839880 ------w- c:\program files\DivXAuthor.exe
2008-05-04 09:01:28 16500592 ------w- c:\program files\DivXInstaller.exe
2008-01-07 16:19:00 7183027 ------w- c:\program files\klcodec365s.exe
2007-12-20 06:50:45 2755017 ------w- c:\program files\AviSynth_050505.exe
2007-12-07 17:09:47 1247000 ------w- c:\program files\CouponPrinter.exe
2007-11-28 22:14:25 760708 ------w- c:\program files\ac3filter_1_11.exe
2004-12-29 06:20:17 7741352 -c----w- c:\program files\DivX521XP2K.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: MAXTOR_STM3500630A rev.3.AAE -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x863284F0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8632e7d0]; MOV EAX, [0x8632e84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x86386AB8]
3 CLASSPNP[0xF7616FD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\00000062[0x8638EF18]
5 ACPI[0xF758D620] -> nt!IofCallDriver[0x804E13B9] -> [0x863C7940]
\Driver\atapi[0x8637AAB0] -> IRP_MJ_CREATE -> 0x863284F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR SI, SI; MOV DI, SI; MOV SS, SI; MOV SP, 0x7a00; MOV AX, 0x7c0; MOV BX, 0x7a0; MOV CX, 0x200; MOV DS, AX; MOV ES, BX; CLD ; REP MOVSB ; MOV DS, BX; JMP FAR 0x7a0:0x5d; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8632833B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 2:24:42.39 ===============

Attached Files
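
As an added example (not code from this thread or from the DDS/GMER tools), the Python helper below triages two sections of the DDS log above: it flags executable and script file classes whose handler is not the expected one (the scrfile=NOTEPAD.EXE %1 entry is consistent with post #4, where dds.scr opened as text in Notepad), and it pulls the UNKNOWN module and the detected hook out of the ROOTKIT disk trace, noting when a hook target lies within 64 KiB of the unknown module. The expected-handler table is an assumption based on Windows XP defaults, and the sample input is an excerpt of the posted log.

```python
"""Triage two sections of a DDS log: File Associations and ROOTKIT (disk trace).
Added example, not code from this thread or from the DDS/GMER tools; the section
layout follows the log posted above, the expected-handler table is assumed."""
import re
from dataclasses import dataclass

# Constructed sample: an excerpt of the DDS log posted in this thread.
SAMPLE_LOG = r"""
=============== File Associations ===============
.
JSEFile=NOTEPAD.EXE %1
regfile=NOTEPAD.EXE %1
scrfile=NOTEPAD.EXE %1
VBEFile=NOTEPAD.EXE %1
VBSFile=NOTEPAD.EXE %1
.
=================== ROOTKIT ====================
.
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x863284F0]<<
detected hooks:
\Driver\atapi DriverStartIo -> 0x8632833B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 2:24:42.39 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")          # "=== Name ===" headers
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")
HOOK_RE = re.compile(r"^(\\\S+)\s+(\S+)\s+->\s+(0x[0-9A-Fa-f]+)$")  # \Driver\x Routine -> addr
# Assumed default 'open' handlers on XP: the file itself, regedit, or WScript.
EXPECTED_HANDLER = {"scrfile": '"%1"', "exefile": '"%1"', "batfile": '"%1"',
                    "regfile": "regedit.exe", "vbsfile": "wscript.exe",
                    "vbefile": "wscript.exe", "jsfile": "wscript.exe", "jsefile": "wscript.exe"}

@dataclass
class Finding:
    section: str
    detail: str

def split_sections(text):
    """Map each section header to its body lines, skipping blanks and '.' spacers."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None and line.strip() not in ("", "."):
            sections[current].append(line.rstrip())
    return sections

def check_file_associations(lines):
    """Flag executable/script classes whose handler is not the expected one."""
    findings = []
    for line in lines:
        cls, _, handler = line.partition("=")
        expected = EXPECTED_HANDLER.get(cls.lower())
        if expected and expected not in handler.lower():
            findings.append(Finding("File Associations",
                f"{cls} opens with '{handler}' instead of a handler containing {expected}"))
    return findings

def check_rootkit(lines, window=0x10000):
    """Collect UNKNOWN modules, detected hooks and warnings from the disk trace."""
    findings, unknown, hooks, in_hooks = [], [], [], False
    for line in lines:
        unknown.extend(int(a, 16) for a in UNKNOWN_RE.findall(line))
        if line.startswith("Warning:"):
            findings.append(Finding("ROOTKIT", line))
        if line.startswith("detected hooks:"):
            in_hooks = True  # hook entries follow until the first non-matching line
            continue
        m = HOOK_RE.match(line) if in_hooks else None
        if m:
            hooks.append((m.group(1), m.group(2), int(m.group(3), 16)))
        else:
            in_hooks = False
    for addr in unknown:
        findings.append(Finding("ROOTKIT", f"unknown module in the disk I/O call chain at {addr:#x}"))
    for driver, routine, target in hooks:
        # A hook target close to the unknown module suggests both belong to the same unsigned code.
        near = [a for a in unknown if abs(a - target) < window]
        where = f" (within 64 KiB of the unknown module at {near[0]:#x})" if near else ""
        findings.append(Finding("ROOTKIT", f"{driver} {routine} hooked -> {target:#x}{where}"))
    return findings

def triage(text):
    s = split_sections(text)
    return check_file_associations(s.get("File Associations", [])) + check_rootkit(s.get("ROOTKIT", []))
```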



#6 Blade81 (Malware Response Team)

Posted 24 May 2011 - 10:54 AM

Hi,

uTorrent

Above listed ones are P2P file sharing programs. P2P downloads are nowadays one of those things that most likely bring infection into the system. My recommendation is to uninstall these (and other if present) P2P file sharing programs.



Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix (link). Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.



#7 Arney X (Topic Starter)

Posted 24 May 2011 - 11:42 AM

Hi, Blade; thanks for the response.

Just a reminder - I can't do anything with the system right now because the screen went black during the GMER running, and is still black waiting for your instructions on what to do (see the top of my last entry).

#8 Arney X (Topic Starter)

Posted 24 May 2011 - 11:56 AM

Another reminder: I have been disconnected from the internet since I wrote my original post, as I had mentioned there and again in the later response. I don't know if this has anything to do with the screen going black & processing stopping, but I just thought you should factor it into your responses. Thanks again.

#9 Blade81 (Malware Response Team)

Posted 24 May 2011 - 01:59 PM

Hi,

Please reboot and see if you're able to take those steps in my previous post.



#10 Arney X (Topic Starter)

Posted 24 May 2011 - 02:26 PM

From the black screen I tried to reboot via CTRL+ALT+DELETE. No response. No keys responded at all. I then manually shut down the system & turned it on again. I'm now trying to run GMER again, as noted in your previous post. I'll post the results soon. So far GMER has found "TYPE: Disk; NAME: \Device\Harddisk0\DR0; VALUE: TDL4@MBR code has been found" and I'm now running it without IAT/EAT checked.

#11 Arney X (Topic Starter)

Posted 24 May 2011 - 03:07 PM

During GMER's run the computer again shut down. This time it rebooted itself, with the warning box "The system has recovered from a serious error" appearing on reboot, with the GMER & DDS icons being relocated on the desktop. I'm going to try to run GMER again & try to watch to see when exactly the system shuts down.

#12 Arney X (Topic Starter)

Posted 24 May 2011 - 03:56 PM

This time GMER ran successfully. I've attached the report here. I'll next try to uninstall uTorrent, as advised. I'll wait for your response before I continue - disabling antivirus software & running ComboFix - as instructed by your latest post.

Attached file: ark.txt (13.96KB)


#13 Blade81 (Malware Response Team)

Posted 25 May 2011 - 07:33 AM

Hi,

Good. Please proceed with ComboFix next.



#14 Arney X (Topic Starter)

Posted 25 May 2011 - 10:50 AM

I've uninstalled uTorrent, as advised.

I have some questions before I run ComboFix:

Do I need to delete DDS & GMER from my system?
Do I need to uninstall AVG, as it might interfere with some of your steps?
Should I delete ComboFix after using it?
How much of iolo's System Mechanic do I need to disable before running ComboFix?
Malwarebytes & SuperAntiSpyware are not enabled for automatic detection. Do I need to do anything to them before ComboFix?
Do I need to reconnect to the internet at any point during your steps?

As always, thanks for your help & patience.

#15 Blade81 (Malware Response Team)

Posted 25 May 2011 - 11:16 AM

> Do I need to delete DDS & GMER from my system?

No, don't delete those yet.

> Do I need to uninstall AVG, as it might interfere with some of your steps?

Yes, uninstall it and keep it uninstalled until I give the "all clean" sign.

> Should I delete ComboFix after using it?

No, don't delete it until I give permission.

> How much of iolo's System Mechanic do I need to disable before running ComboFix?

It shouldn't interfere with ComboFix, but you could keep it disabled during the ComboFix run if it's not too much trouble.

> Malwarebytes & SuperAntiSpyware are not enabled for automatic detection. Do I need to do anything to them before ComboFix?

No.

> Do I need to reconnect to the internet at any point during your steps?

Yes, keep the connection open for the ComboFix run.





